Get instant notifications when admin privileges are granted or revoked on your Mac.
Integrates with SAP Privileges to send real-time notifications to ntfy.sh whenever you toggle admin privileges. Perfect for monitoring your own Mac or keeping tabs on family devices.
Features:
- Instant notifications via ntfy.sh (or any webhook)
- Touch ID authentication required
- Reason required (10-250 characters)
- Time limits (20 min default, 60 min max)
- JSON payload with machine name, user, state, reason, and timestamp
- SAP Privileges app - Download here
- ntfy.sh topic - Create one at ntfy.sh (free)
Copy the template and add your ntfy.sh details:
cp privileges_config.env.template privileges_config.env
Edit privileges_config.env:
# Your ntfy.sh topic URL
POST_URL="https://ntfy.sh/your_topic_here"
# Your ntfy.sh access token (if using auth)
AUTH_TOKEN="tk_your_token_here"
./setup.sh
./install_profile.sh
The setup script installs the notification script, and the profile installer:
- Copies the configuration profile to the user's Downloads folder
- Opens it in System Settings
- Prompts you to install it
- Restarts SAP Privileges
Important: You must install the configuration profile in System Settings when prompted. This is what enables Touch ID, reason prompts, and the notification hook.
- Open SAP Privileges (menu bar icon)
- Click to toggle admin privileges
- You should see:
  - Touch ID authentication
  - Reason dialog
  - Time duration selector
- Check your ntfy.sh topic for the notification!
User toggles privileges
↓
SAP Privileges prompts for Touch ID + reason
↓
On success, calls privileges_post_change.sh
↓
Script formats notification with JSON data
↓
Sends to ntfy.sh via webhook
↓
You get instant notification!
{
  "machine": "macbook-pro",
  "user": "gordon",
  "state": "admin",
  "message": "User promoted to Administrator",
  "reason": "Installing Docker Desktop",
  "time": "2026-01-29T12:30:00Z"
}
The ntfy.sh notification shows:
Title: Privilege Change: macbook-pro
Body:
Machine: macbook-pro
User: gordon
Status: User promoted to Administrator
Reason: Installing Docker Desktop
Time: 2026-01-29T12:30:00Z
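The reason in the payload above is free text typed by the user, so a hook that assembles this JSON by hand has to escape it before sending. The following is an added example, not the repository's privileges_post_change.sh: the function names and argument order are assumptions, and POST_URL and AUTH_TOKEN are the variables from privileges_config.env.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not the project's own script.

# Escape a value for use inside a JSON string literal. Control characters
# (newlines, tabs, ...) are flattened to spaces first, then backslashes and
# double quotes are escaped so the value cannot close the string early.
json_escape() {
    printf '%s' "$1" | tr '\001-\037' '[ *]' | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Re-check the 10-250 character reason rule inside the hook itself, so the
# hook does not depend only on the configuration profile enforcing it.
reason_ok() {
    len=${#1}
    [ "$len" -ge 10 ] && [ "$len" -le 250 ]
}

# Arguments (assumed order): machine user state message reason time
build_payload() {
    reason_ok "$5" || { echo "reason must be 10-250 characters" >&2; return 1; }
    printf '{"machine":"%s","user":"%s","state":"%s","message":"%s","reason":"%s","time":"%s"}\n' \
        "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")" \
        "$(json_escape "$4")" "$(json_escape "$5")" "$(json_escape "$6")"
}

# POST the payload to the configured endpoint. Defined only; not called here.
send_payload() {
    curl -fsS --max-time 10 \
        -H "Authorization: Bearer ${AUTH_TOKEN}" \
        -H "Content-Type: application/json" \
        -d "$1" "$POST_URL"
}

# Constructed sample: a reason containing quotes that would otherwise end the
# string and add a second "state" field. It is emitted as inert text.
build_payload "macbook-pro" "gordon" "admin" "User promoted to Administrator" \
    'Installing Docker","state":"user' "2026-01-29T12:30:00Z"
```

On the receiving side the reason then arrives as a single string, whatever the user typed into the dialog.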
- com.sap.privileges.config.mobileconfig - Configuration profile for SAP Privileges
- privileges_post_change.sh - Notification script called by SAP Privileges
- privileges_config.env.template - Template for your ntfy.sh configuration
- setup.sh - Installs the notification script
- install_profile.sh - Guides you through profile installation
The configuration profile isn't installed:
# Check if installed
sudo profiles show | grep -A 5 "SAP Privileges"
# If not found, run install_profile.sh again
./install_profile.sh
Check the script is installed and configured:
# Verify script exists
ls -la /usr/local/bin/privileges-monitor/
# Check config
cat /usr/local/bin/privileges-monitor/privileges_config.env
# Test ntfy.sh connectivity
curl -H "Authorization: Bearer YOUR_TOKEN" \
  -d "Test message" \
  https://ntfy.sh/your_topic
Check system logs:
log show --predicate 'subsystem == "corp.sap.privileges"' --last 5m
log show --predicate 'process == "privileges-monitor"' --last 5m
Make sure you're installing it as a System profile, not a User profile. When you open the .mobileconfig file, it should take you to System Settings > General > Device Management (or Profiles).
Remove the configuration profile:
- System Settings > General > Device Management
- Select "SAP Privileges Configuration"
- Click Remove
Remove the scripts:
sudo rm -rf /usr/local/bin/privileges-monitor/
This is a "Trust but Verify" solution. Users with admin privileges can technically disable these notifications. It's designed for environments where you want visibility without creating friction—perfect for personal Macs or family devices, not for strict enterprise lockdown.
For more robust lockdown options that work well with this setup too, see this guide.